Cisco Support Community

New Member

VPN site to site with ASA5510 and 2801

I think I have tried everything. I don't get the hang of it. I have configured the ASA5510 with the ASDM using the VPN Guide. I have also configured the 2801 with the SDM, but the ASA says something similar to "Received encrypted packet with no SA, dropping". Is there any guide on how to do this?

3 REPLIES

Re: VPN site to site with ASA5510 and 2801

Hello,

Without knowing the details of your configuration, check if you have the 'crypto map set pfs' command set; if so, that might be the reason for your error (you can turn PFS off with the 'no crypto map set pfs' command).

Otherwise, can you post your configuration(s)?

Regards,

GNT

New Member

Re: VPN site to site with ASA5510 and 2801

asdm image disk0:/asdm504.bin
asdm location 192.168.3.0 255.255.255.0 vpn
asdm location 192.168.0.7 255.255.255.255 inside
asdm location 192.168.1.2 255.255.255.255 dmz
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname abfw01
domain-name mydomainname.com
enable password removeforsecurity encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address myoutsideip 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 100
 ip address 192.168.1.40 255.255.255.0
!
interface Ethernet0/3
 nameif vpn
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
 management-only
!
passwd xxxx
ftp mode passive
same-security-traffic permit inter-interface
object-group service http-https tcp
 port-object eq www
 port-object eq https
access-list inside_nat0_inbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list vpn_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list vpn_cryptomap_20_1 extended deny ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu vpn 1500
no failover
monitor-interface management
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface vpn
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (inside) 11 interface
global (outside) 10 interface
global (dmz) 12 interface
global (vpn) 14 192.168.3.2-192.168.3.254
global (vpn) 13 interface
nat (inside) 0 access-list inside_nat0_inbound outside
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_inbound outside
nat (dmz) 10 0.0.0.0 0.0.0.0
nat (vpn) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 myoutsideip 1
route vpn 192.168.3.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.5.0 255.255.255.0 management
http 213.100.0.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map vpn_map 20 match address vpn_cryptomap_20_1
crypto map vpn_map 20 set peer 192.168.10.2
crypto map vpn_map 20 set transform-set ESP-3DES-MD5
crypto map vpn_map interface vpn
isakmp enable vpn
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 192.168.10.2 type ipsec-l2l
tunnel-group 192.168.10.2 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxxx
: end
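Two details in the posted config are worth checking mechanically rather than by eye: crypto map vpn_map 20 matches address vpn_cryptomap_20_1, whose only entry is a deny (the permit version, vpn_cryptomap_20, is not referenced anywhere), so no traffic is ever selected for the tunnel on this side; and the static route for 192.168.3.0 uses the ASA's own vpn interface address 192.168.10.1 as next hop rather than the peer. The checker below is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the config above and flags both patterns, and the function and field names are my own.

```python
import re

# Excerpt of the ASA config posted above, reduced to the lines these checks read
# (constructed for this example; the poster's real config is far longer).
SAMPLE_CONFIG = """\
interface Ethernet0/3
nameif vpn
ip address 192.168.10.1 255.255.255.0
access-list vpn_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list vpn_cryptomap_20_1 extended deny ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
route vpn 192.168.3.0 255.255.255.0 192.168.10.1 1
crypto map vpn_map 20 match address vpn_cryptomap_20_1
crypto map vpn_map 20 set peer 192.168.10.2
crypto map vpn_map interface vpn
"""

def parse_config(text):
    """Collect interface addresses, ACL actions, static routes and crypto map ACL bindings."""
    cfg = {"acls": {}, "if_ips": {}, "routes": [], "crypto_match": {}}
    nameif = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            nameif = None                      # entering a new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            cfg["if_ips"][nameif] = line.split()[2]
        elif (m := re.match(r"access-list (\S+) extended (permit|deny) ", line)):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2))
        elif (m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)):
            cfg["routes"].append(m.groups())   # (iface, network, mask, next_hop)
        elif (m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line)):
            cfg["crypto_match"][(m.group(1), m.group(2))] = m.group(3)
    return cfg

def find_problems(cfg):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    for (cmap, seq), acl in cfg["crypto_match"].items():
        actions = cfg["acls"].get(acl)
        if actions is None:
            findings.append(f"crypto map {cmap} {seq}: ACL {acl} is not defined")
        elif "permit" not in actions:
            findings.append(f"crypto map {cmap} {seq}: ACL {acl} has no permit entry, so no traffic is ever selected for the tunnel")
    own_ips = set(cfg["if_ips"].values())   # a next hop must be the peer, never ourselves
    for iface, net, mask, nh in cfg["routes"]:
        if nh in own_ips:
            findings.append(f"route {iface} {net} {mask}: next hop {nh} is this firewall's own address, not the peer")
    return findings
```

Run find_problems(parse_config(open("running-config.txt").read())) against a full 'show running-config' capture; the same parser copes with the indented sub-command lines of a real dump because it strips leading whitespace.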

New Member

Re: VPN site to site with ASA5510 and 2801

Thank you for your reply. That problem is now resolved, but the problem now is that when I try to connect to the dmz or inside, that doesn't work. I am new to Cisco; perhaps I have done something wrong? (Even if I am connecting from inside I can't access the dmz.)

Thanks in advance!
